Analytics Story: AwfulShred
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.
Why it matters
AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Linux Auditd Execve |  Linux |
auditd |
auditd |
| Linux Auditd Proctitle | Linux |
auditd |
auditd |
| Linux Auditd Service Stop | Linux |
auditd |
auditd |
| Sysmon for Linux EventID 1 | Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/
- https://cert.gov.ua/article/3718487
Source: GitHub | Version: 1